Python or PHP?
John Bokma
postmaster at castleamber.com
Sat Apr 23 22:49:26 EDT 2005
Peter Ammon wrote:
> Leif K-Brooks wrote:
>> John Bokma wrote:
>>
>>> my $sort = $cgi->param( "sort" );
>>> my $query = "SELECT * FROM table WHERE id=? ORDER BY $sort";
>>
>>
>> And the equivalent Python code:
>>
>>
>> cursor.execute('SELECT * FROM table WHERE id=%%s ORDER BY %s' % sort,
>> [some_id])
>>
>> You're right, of course, about being *able* to write code with SQL
>> injection vulnerabilities in Python. But it's not even close to being
>> as easy as in PHP.
>
> I'm bewildered why you haven't mentioned magic quotes. A one line
> change to the configuration file can render your PHP site almost
> entirely immune to SQL injection attacks.
There is no almost in security.
--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
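Worked example, added here and not part of the thread: the ORDER BY pattern quoted above, run against an in-memory sqlite3 database, with magic quotes simulated by a hand-written addslashes(). The point it demonstrates is the one the reply makes: a column-name or expression slot cannot be bound as a parameter, and an ORDER BY payload needs no quote characters at all, so addslashes-style escaping leaves it untouched while the attacker still learns one bit per request (here, whether a password is longer than a guessed length). The table, rows, function names and the whitelist are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
ROWS = [
    (1, "alice", "hunter2secret"),
    (2, "bob", "pw"),
    (3, "carol", "abc"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def magic_quotes(s):
    """Simulate PHP magic_quotes_gpc: addslashes() applied to a request value.
    Only ' " \\ and NUL are escaped; everything else passes through."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def query_vulnerable(conn, sort, min_id):
    """The pattern from the thread: the WHERE value is a bound parameter,
    but the ORDER BY expression is pasted straight into the SQL text."""
    sql = "SELECT id FROM users WHERE id >= ? ORDER BY %s" % sort
    return [row[0] for row in conn.execute(sql, (min_id,))]


def oracle_payload(n):
    """Attacker-controlled 'sort' value. It contains no quote characters, so
    addslashes() does nothing to it. Row order flips depending on whether
    user 1's password is longer than n, leaking one bit per request."""
    return (
        "(CASE WHEN (SELECT length(password) FROM users WHERE id = 1) > %d "
        "THEN id ELSE -id END)" % n
    )


# Hardened version: the only thing taken from the request is a key into a
# fixed whitelist; the SQL text is built from the whitelist values, never
# from the raw parameter.
ALLOWED_SORT = {"id": "id", "name": "name"}
ALLOWED_DIR = {"asc": "ASC", "desc": "DESC"}


def query_safe(conn, sort, min_id):
    parts = sort.lower().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("bad sort parameter")
    column = ALLOWED_SORT.get(parts[0])
    direction = ALLOWED_DIR.get(parts[1] if len(parts) == 2 else "asc")
    if column is None or direction is None:
        raise ValueError("bad sort parameter")
    sql = "SELECT id FROM users WHERE id >= ? ORDER BY %s %s" % (column, direction)
    return [row[0] for row in conn.execute(sql, (min_id,))]


def demo():
    conn = make_db()
    p10, p20 = magic_quotes(oracle_payload(10)), magic_quotes(oracle_payload(20))
    try:
        query_safe(conn, p10, 1)
        rejected = False
    except ValueError:
        rejected = True
    return {
        # magic quotes changed nothing: no quote characters in the payload
        "unchanged_by_magic_quotes": p10 == oracle_payload(10),
        # "hunter2secret" is 13 chars: > 10 sorts by id, > 20 sorts by -id
        "order_guess_10": query_vulnerable(conn, p10, 1),
        "order_guess_20": query_vulnerable(conn, p20, 1),
        # whitelisted sort still works, payload is refused outright
        "safe_order": query_safe(conn, "name desc", 1),
        "safe_rejects_payload": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the two escaped payloads producing opposite row orders ([1, 2, 3] versus [3, 2, 1]), which is enough for an attacker to binary-search the password length, and the whitelisted version raising on the same input. The same whitelist idea applies to any identifier slot (table, column, direction) in Perl DBI or PHP; placeholders only cover values.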